The goals of the kernel integrity subsystem are to detect if files have been accidentally or maliciously altered, both remotely and locally, appraise a file’s measurement against a “good” value stored as an extended attribute, and enforce local file integrity. These goals are complementary to Mandatory Access Control(MAC) protections provided by LSM modules, such as SElinux and Smack, which, depending on policy, can attempt to protect file integrity. The following modules provide serveral integrity functions:

Collect – measure a file before it is accessed.

Store– add the measurement to a kernel resident list and, if a hardware Trusted Platform Module (TPM) is present, extend the IMA PCR

Attest – if present, use the TPM to sign the IMA PCR value, to allow a remote validation of the measurement list.

Appraise – enforce local validation of a measurement against a “good” value stored in an extended attribute of the file.

IMA is an open source trusted computing component. IMA maintains a runtime measurement list and, if anchored in a hardware Trusted Platform Module(TPM), an aggregate integrity value over this list. The benefit of anchoring the aggregate integrity value in the TPM is that the measurement list cannot be compromised by any software attack, without being detectable. Hence, on a trusted boot system, IMA can be used to attest to the system’s runtime integrity.